Kernel: LWN Coverage (No Longer Paywalled) and Initial HDMI 2.0 Support With Nouveau Slated For The Next Linux Kernel

Back in the halcyon days of the previous century, those with a technical inclination often became overly acquainted with modems—not just the strange sounds they made when connecting, but the AT commands that were used to control them. While the AT command set is still in use (notably for GSM networks), it is generally hidden these days. But some security researchers have found that Android phones often make AT commands available via their USB ports, which is something that can potentially be exploited by rogue USB devices of various sorts.

A paper [PDF] that was written by a long list of researchers (Dave (Jing) Tian, Grant Hernandez, Joseph I. Choi, Vanessa Frost, Christie Ruales, Patrick Traynor, Hayawardh Vijayakumar, Lee Harrison, Amir Rahmati, Michael Grace, and Kevin R. B. Butler) and presented at the 27th USENIX Security Symposium described the findings. A rather large number of Android firmware builds were scanned for the presence of AT commands and many were found to have them. That's not entirely surprising since the baseband processors used to communicate with the mobile network often use AT commands for configuration. But it turns out that Android vendors have also added their own custom AT commands that can have a variety of potentially harmful effects—making those available over USB is even more problematic.

They started by searching through 2018 separate Android binary images (it is not clear how that number came about, perhaps it is simply coincidental) from 11 different vendors. They extracted and decompressed the various pieces inside the images and then searched those files for AT command strings. That process led to a database of 3500 AT commands, which can be seen at the web site for ATtention Spanned—the name given to the vulnerabilities.
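The search step described above, as an added example (not code from the paper or from the article quoted here): it pulls printable strings out of each extracted file and matches them against an assumed AT-command pattern. The regular expression, function names and sample bytes are constructed for illustration, and unpacking the firmware image itself is not shown.

```python
import re
from collections import Counter

# Runs of printable ASCII at least MIN_LEN bytes long, as strings(1) reports them.
MIN_LEN = 4
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Assumed pattern: "AT", one prefix symbol, then a short alphanumeric name.
# The word boundary keeps "BAT+LOW" or "DATA+more" from counting as commands.
AT_COMMAND = re.compile(r"\bAT([+*!@#$%^&])([A-Za-z][A-Za-z0-9_]{1,15})")


def printable_strings(blob):
    """Yield each printable-ASCII run found in a binary blob."""
    for match in PRINTABLE_RUN.finditer(blob):
        yield match.group().decode("ascii")


def find_at_commands(blob):
    """Count AT commands in one file, normalised to upper case without arguments."""
    hits = Counter()
    for text in printable_strings(blob):
        for match in AT_COMMAND.finditer(text):
            hits["AT" + match.group(1) + match.group(2).upper()] += 1
    return hits


def scan_files(files):
    """Map each command to the sorted list of files (name -> bytes) containing it."""
    index = {}
    for name, blob in files.items():
        for command in find_at_commands(blob):
            index.setdefault(command, set()).add(name)
    return {command: sorted(names) for command, names in sorted(index.items())}


# Constructed sample data standing in for files extracted from a firmware image.
SAMPLE_FILES = {
    "bin/rild": b"\x7fELF\x00\x01AT+CFUN=1\r\x00\x00AT+CGMI\x00status: ok\x00",
    "lib/libvendor.so": b"\x00\x00AT%EXAMPLE=%d\x00DATA+more\x00AT+CFUN?\x00BAT+LOW\x00",
}

if __name__ == "__main__":
    for command, names in scan_files(SAMPLE_FILES).items():
        print(f"{command:12} {', '.join(names)}")
```

A vendor-specific command that appears in only one component, like the constructed `AT%EXAMPLE` here, is the kind of entry an auditor would trace to the code that handles it and check whether that handler is reachable over USB.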

The Linux Security Module (LSM) subsystem allows security modules to hook into many low-level operations within the kernel; modules can use those hooks to examine each requested operation and decide whether it should be allowed to proceed or not. In theory, just about every low-level operation is covered by an LSM hook; in practice, there are some gaps. A discussion regarding one of those gaps — low-level ioctl() operations on XFS filesystems — has revealed a thorny problem and a significant difference of opinion on what the correct solution is.

In late September Tong Zhang pointed out that xfs_file_ioctl(), the 300-line function that dispatches the various ioctl() operations that can be performed on an XFS filesystem, was making a call to vfs_readlink() without first consulting the security_inode_readlink() LSM hook. As a result, a user with the privilege to invoke that operation (CAP_SYS_ADMIN) could read the value of a symbolic link within the filesystem, even if the security policy in place would otherwise forbid it. Zhang suggested that a call to the LSM hook should be added to address this problem.

Days after Nouveau DRM maintainer Ben Skeggs began staging changes for this open-source NVIDIA driver ahead of the next kernel cycle, he submitted the DRM-Next pull request this evening to queue this work for the Linux 4.20/5.0 kernel cycle.

As covered in that previous article, there isn't a whole lot on the Nouveau kernel driver front at this time. Skeggs summed up these open-source NVIDIA driver changes as: "Just initial HDMI 2.0 support, and a bunch of other cleanups."

One of the most common tasks carried out by device drivers is setting up DMA operations for data transfers between main memory and the device. Often, data read into memory from one device will be immediately written, unchanged, to another device. Common examples include carrying the image between the camera and screen on a mobile phone, or downloading files to be saved on a disk. Those transfers have an impact on the CPU even if it does not use the data directly, due to higher memory use and effects like cache trashing. There are cases where it is possible to avoid usage of the system memory completely, though. A patch set (posted by Logan Gunthorpe with contributions by Christoph Hellwig and Steve Wise) has been in the works for some time that addresses this case for PCI devices using peer-to-peer (P2P) transfers, with a focus on offering an offload option for the NVMe fabrics target subsystem.

Audiocasts: Open Source Security Podcast, Linux Action News and More

On this episode of This Week in Linux, we've got a lot of application releases to talk about, like Nextcloud, Firefox, Vivaldi, Kdenlive and more. We've got an update on the Emby proprietary news we covered last week: there’s a fork. The kernel team is discussing the potential removal of the x32 subarchitecture. There’s a possibility that Intel could be open-sourcing the FSP, and we’ll talk about what that could mean. Later in the show we’ll talk security news related to a SQLite bug, new malware families discovered, Apple’s T2 chip issues with Linux and yet another security hole found in Google+. Then we’ll round out the show with some Linux gaming news, including some great games on sale. All that and much more!

Intel developers are working to open source the FSP, Fuchsia SDK and device repos show up in Android AOSP, and our BSD buddies have some big news.
Plus the pending removal of the x32 sub-architecture from Linux, why Uber is joining up with the Linux Foundation, and more.

Katherine Druckman and Doc Searls talk to David Egts (@davidegts), Chief Technologist North America for the Public Sector at Red Hat (@redhatgov) about open source enthusiasm.

Manjaro vs Arch Linux Distribution Comparison

If you’ve looked at the DistroWatch Page Hit Ranking statistics in recent months, you might have noticed that the top place is currently occupied by Manjaro Linux, or simply Manjaro, an Arch Linux derivative that’s designed to work straight out of the box.
We wanted to know the secret behind Manjaro’s success, which is how this detailed comparison came to life. Regardless of whether you’re a seasoned Arch Linux veteran with a desire to explore what other Linux distributions have to offer or you’re a Linux newbie who’s not sure which of the two distributions to use, this article is for you.

Linux Mint 19.1

Purism Ships Librem 5 Dev Kits as the Linux Phones Will Arrive in April 2019

Based on the newer and more powerful i.MX 8M 64-bit ARM boards, an upgrade over the older dev kits based on the generic i.MX6 boards, the Librem 5 dev kits will soon arrive in the hands of early adopters, as Purism needs all the help it can get from the community to continue and accelerate the development of its Linux-powered, privacy-focused phone, the Librem 5.
Also: Purism's Librem 5 Developer Kits Finally Shipping, Linux Phone Price Going Up To $699

Logitech Options is an app that controls all of Logitech’s mice and keyboards. It offers several configuration options, such as changing function-key shortcuts, customizing mouse buttons, and adjusting point and scroll behavior. The app contained a huge security flaw, discovered by Google security researcher Tavis Ormandy: Logitech Options opened a WebSocket server on every computer it ran on. The server listened on port 10134, and any website could connect to it and send a variety of JSON-encoded commands.

I am extremely pleased to announce the public release of pwnedkeys.com – a database of compromised asymmetric encryption keys. I hope this will become the go-to resource for anyone interested in avoiding the re-use of known-insecure keys. If you have a need, or a desire, to check whether a key you’re using, or being asked to accept, is potentially in the hands of an adversary, I would encourage you to take a look.

RawTherapee 5.5 Released

RawTherapee provides you with a selection of powerful tools with which you can practise the art of developing raw photos. Be sure to read RawPedia to understand how each tool works so that you may make the most of it. A great place to start is the "Getting Started" article. Click on "Main page" in the top-left corner when you have finished reading that article to see all other articles.
If you find a problem, don't keep it to yourself. Find out how to write useful bug reports to get the problem fixed.

Games: ATOM RPG, Humble Store, KURSK, Liftoff and More

After little over a year in Early Access after a successful Kickstarter campaign, the surprisingly impressive ATOM RPG is about to release in full.
Mark December 19th on your calendar, as ATOM RPG seems to have a few surprises ready for the full release. This will include a third global map, which takes place in a mutant-ridden metropolis named Dead city; plenty of new NPCs and quests; you can drive cars across the wasteland; new dungeons to explore; new traits for characters and a new end-game cinematic.

If you're in the mood for something new and GOG isn't your thing with their big sale going on, Humble also have some interesting choices.
There's another 2K publisher sale going on right now, with top deals like Civilization VI (which recently got a patch to make Linux online play cross-platform) at 75% off, plus the Civilization VI: Rise and Fall expansion is currently 35% off. XCOM 2 is also 75% off and it's easily one of my favourite strategy games. It's even better with the War of the Chosen expansion at 50% off. Looking further, you would be pretty mad yourself to pass on Mad Max with 75% off!

It seems to have released to thoroughly mixed reviews, with all sorts of issues. The big update has reduced loading time, adding in various optimisations, new and improved animations, an improved UI and so on. Sounds like they're really putting in the effort to improve it, which is great. They've confirmed they're working on many more improvements too!

For those who love the idea of playing with drones, Liftoff is an interesting drone sim that's available on Linux. Liftoff: FPV Drone Racing launched back in September, with it seeing Linux support at release.

There's a new release of the Pixel Wheels racing game. It now "remembers the best lap and best total time for each track and shows you a congratulation message when you reach the top 3 in either categories", countdown now has sound and has several other new features. The game is available for Linux, Android, Windows and Mac, and you can get it from here.